"ibm-auth-api":{}

This section configures the connection to the Verify server.

Format

    "ibm-auth-api":{
        "client-id":"xxxxxxxx",
        "obf-client-secret":"xxxxxxxx", 
        "protocol":"https",
        "host":"xxxxx.verify.ibm.com",
        "port":443,
        "max-handles":16
    },

Values:

"client-id":"84e8da25-d7ed-47cc-9782-b852cb64365c"

This value is required. An IBM® Verify API client must be created for use by the IBM Verify Gateway for RADIUS server. See Configuring the IBM Verify Gateway for RADIUS server for the access settings it requires. An example of a client-id might be

"84e8da25-d7ed-47cc-9782-b852cb64365c"

“obf-client-secret”:"KsjKZsKrbbgNaPe7+kYIcOyWzZdzYNtF4KlCyYoNEFA="

This value is required. The IBM Verify API client is given a client-secret (password) when it is created and must be set in this configuration setting. The obf-client-secret is the client-secret in an obfuscated form. For Windows operating systems, use the IbmRadius.exe -obf client-secret command to generate the obfuscated client-secret value. For Linux operating systems, use the

/opt/ibm/ibm_radius/ibm_radius_64 -obf
client-secret

command to generate the obfuscated client-secret value.

Note: This obf-client-secret can alternatively be provided in clear text by using the "client-secret" option instead. For example.

"client-secret”:"xxxxxxxxxx"

"protocol":"https"

This value is optional and defaults to “https”. This protocol is used to communicate to the IBM Verify server. Either value, “http” or “https”, can be used. When https is used and the cacert.pem file is present, the IBM Verify server certificate and server name are validated.

"host":"slick.verify.ibm.com"

This value is required. It identifies the IBM Verify server that you are using.

"port":443

This value is optional and defaults to 443. This port is the port that the IBM Verify server is listening on for requests.

"max-handles":16

This value is optional and defaults to 16. This value is the maximum number of parallel connections that the IBM Verify Gateway for RADIUS server makes to the IBM Verify server for user authentication.

"token-type": "Bearer"

Specifies the access token type of "access-token".

"access-token": "{token}"

Specifies the access token to use for the tenant. This is an alternative to using "client-id" and "client-secret" options if the access token is already known.

"ca-path": "{path-to-ca-file}"

Specifies a file with a list of permitted certificate authority signers of the IBM Verify tenant server certificate. This text file contains one or more PEM CA public key certificates in base64 format.

By default it uses the cacert.pem file located in the configuration file directory.

"proxy": "{proxy-uri}"

This value is optional and defaults to not using a proxy, and to use direct connections. Set the proxy to access the IBM Verify tenant. The values is a host name or a dotted numerical IP address. A numerical IPv6 address must be written within [brackets]. To specify port number in this string, append :[port] to the end of the host name. The proxy's port defaults to port :1080. The proxy string can be prefixed with [scheme]:// to specify which kind of proxy is used.

Note: *http:// - HTTP Proxy. The default type when no scheme or proxy type is specified.

https:// - HTTPS Proxy.
socks4:// - SOCKS4 Proxy.
socks4a:// - SOCKS4a Proxy. The proxy resolves the URL host name.
socks5:// - SOCKS5 Proxy.
socks5h:// - SOCKS5 Proxy.

A proxy host string can also include a protocol scheme http://, an embedded user, and a password.

"proxytunnel": true

This value is optional and defaults to true if the proxy is enabled.

Set the proxytunnel argument to true to make the IBM Verify tenant operation tunnel through the HTTP proxy. Using a proxy is different than to tunneling through it. Tunneling means that an HTTP CONNECT request is sent to the proxy, asking it to connect to a remote host on a specific port number and then the traffic is passed through the proxy.

Note: Proxies can restrict the specific port numbers that it allows CONNECT requests to. Typically, only ports 80 and 443 are allowed.

"origin-user-agent": "IBM Security Verify"

Specifies the user agent send in the request to initiate a push (device) transaction.

"connect-timeout": 10

Specifies the maximum time in seconds that you allow the connection phase of an operation against IBM Verify tenant REST API to take. This timeout only limits the connection phase. It has no impact once connected.

"timeout": 40

Specifies the maximum time in seconds that you allow an individual tenant REST API operation to take.

"proxy-ca-path": "{path-to-ca-file}"

Specifies a file with a list of permitted certificate authority signers of the proxy server certificate. This text file contains one or more PEM CA public key certificates in base64 format.

By default it uses the cacert.pem file located in the configuration file directory.

"crl-file": "{path-to-crl-file}"

Defines the CRL for validating the certificate of the IBM Verify tenant REST API server.

The option value specifies a file containing a concatenation of CRL (in PEM format) to use in the certificate validation that occurs during the TLS exchange with the IBM Verify tenant REST API server.

"proxy-crl-file": "{path-to-crl-file}"

Defines the CRL for validating the certificate of the proxy server (not the targeted IBM Verify tenant REST API server).

The option value specifies a file containing a concatenation of CRL (in PEM format) to use in the certificate validation that occurs during the TLS exchange with the proxy server.

This option is not supported on Windows™.

"revoke-best-effort": false

For the TLS communication to the IBM Verify tenant REST API. This indicates if it should ignore certificate revocation checks in case of missing or offline distribution points for those TLS backends where such behavior is present. This option is only supported on Windows.

"no-revoke": false

For the TLS communication to the IBM Verify tenant REST API. This indicates if it should disable certificate revocation checks for those TLS backends where such behavior is present. This option is only supported on Windows, with an exception in the case of Windows Untrusted Publishers block list which it seems cannot be bypassed. This option takes precedence over "revoke-best-effort".